Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/1/2020
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Attackers Compromised Dozens of News Websites as Part of Ransomware Campaign

Malware used to download WastedLocker on target networks was hosted on legit websites belonging to one parent company, Symantec says.

Attackers recently compromised dozens of US newspaper websites belonging to the same parent company and used the sites to distribute malicious code for downloading ransomware on networks belonging to targeted organizations across multiple sectors.

Several major US organizations that were recently found infected with the malware appear to have been initially compromised when their employees visited one of the news websites, Symantec said.

The security vendor last week had reported discovering "SocGholish," a JavaScript-based malware masquerading as a software update, on networks belonging to at least 31 major enterprise customers. A Russia-based group called Evil Corp. is using the malware as part of an attack sequence to download a new ransomware strain called WastedLocker on target networks, Symantec had noted. 

Among the Symantec customers impacted in the campaign are 11 publicly listed organizations, including eight in the Fortune 500 list. A plurality of the victims are in the manufacturing sector, though organizations from other industries were hit as well, including financial services, healthcare, energy, and transportation. In each case, the attacks were detected and stopped before the ransomware deployed.

Had the attacks succeeded, the victims would have likely lost millions of dollars in downtime and damages. The attacks could also have had a cascading effect on the US supply chain, Symantec said. "The end goal of these attacks is to cripple the victim's IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion-dollar ransom," the vendor said in its report last week.

Evil Corp. is a well-known threat actor believed responsible for attacks — including those associated with Dridex and Zeus ransomware samples — that have cumulatively cost victims hundreds of millions of dollars in damages. A US federal court last year indicted two members of the gang on charges related to their long-standing criminal campaigns. Both remain at large — one of them with a $5 million US reward on his head.

In its initial report (updated this week), Symantec said its researchers had discovered at least 150 legitimate but previously hacked websites that were being used to host SocGholish and to download it on systems belonging to visitors to these sites.

According to the vendor, its continuing investigation of the campaign showed dozens of the compromised websites were actually news sites belonging to one parent company. Symantec notified the organization of the issue, and the malicious code has since been removed. The fact that as many as 31 of Symantec's enterprise customers were targeted in the attacks suggests that Evil Corp.'s overall WastedLocker campaign is very broad in scope, Symantec noted.

The NCC Group, which has also been tracking the WastedLocker campaign, has described it as targeted and beginning in May 2020. According to researchers from both Symantec and NCC Group, the attackers from Evil Corp. have been using a combination of custom tools and legitimate processes and services to deploy the ransomware to communicate with command-and-control servers and to move laterally on infected networks.

The tools being used in the campaign include PowerShell scripts, the PsExec Windows Sysinternals tool, and the Windows Management Instrumentation Command Line Utility (wmic dot exe), which is being used to disable real-time monitoring and scanning of downloaded files. In many of the attacks, the threat actors have attempted to disable Windows Defender and associated services before deploying the ransomware.

Related Content:

 

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
 
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9079
PUBLISHED: 2020-08-11
FusionSphere OpenStack 8.0.0 have a protection mechanism failure vulnerability. The product incorrectly uses a protection mechanism. An attacker has to find a way to exploit the vulnerability to conduct directed attacks against the affected product.
CVE-2020-16275
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-16276
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16277
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16278
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.